

Messages - jammin

1
Installation and Upgrades / AD ssh logins (zentyal 3.5 sssd)
« on: October 02, 2014, 09:23:17 am »
perhaps a bug, perhaps a "feature".

But I've found that since 3.5, with Zentyal now using SSSD for auth, I wasn't able to log in with the AD users previously available in 3.2.

To get them working, the users needed the Unix attributes set, which didn't appear to be set in 3.2?

The attributes to set are gidNumber, uidNumber, loginShell and unixHomeDirectory, and this can be done via the Windows AdsiEdit tool.

Once you've done that, you can confirm the user is available to the additional domain controller's auth system as below:

#  getent passwd username
username:*:10001:10001:test user:/home/test:/bin/sh

Unfortunately, this still won't let you log in!! grrr.

By modifying the /etc/pam.d/common-* files as per below, you will now be able to log in.

#/etc/pam.d/common-account

Right after the pam_unix.so line, add
account      [default=bad success=ok user_unknown=ignore] pam_sss.so

#/etc/pam.d/common-password

Right after the pam_unix.so line, add
password     sufficient    pam_sss.so use_authtok

#/etc/pam.d/common-session

Just before the pam_unix.so line, add
session      optional      pam_mkhomedir.so
Right after the pam_unix.so line, add
session      optional      pam_sss.so

Edit suggestions came from this Fedora doc:
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server#ConfigureNSSPAMmanually
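
The four PAM edits above are easy to get wrong by hand (a second run of a setup script appends a duplicate pam_sss.so line, or the line lands in the wrong file). The script below is an added example, not part of the post or of Zentyal itself: it inserts each line relative to the first pam_unix.so line, refuses to touch a file that has no pam_unix.so line, and is idempotent, so rerunning it changes nothing. It assumes Debian/Ubuntu-style common-* files with a single pam_unix.so entry each; the function names and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the forum post): apply the pam_sss.so edits described
# above to the /etc/pam.d/common-* files in an idempotent way, so a rerun (or a
# config-management run) never adds a second pam_sss.so line.
# Assumes Debian/Ubuntu-style common-* files with one pam_unix.so line each;
# the function names and the directory argument are this example's own.

# pam_insert FILE POSITION LINE
#   Insert LINE "before" or "after" the first line that references pam_unix.so.
#   Returns 0 if LINE is present afterwards (or already was), 2 if FILE has no
#   pam_unix.so line (then nothing is changed, rather than guessing a spot).
pam_insert() {
    file=$1; pos=$2; line=$3
    if grep -qF -- "$line" "$file"; then
        return 0    # already applied
    fi
    tmp=$(mktemp) || return 1
    awk -v pos="$pos" -v ins="$line" '
        !done && /pam_unix\.so/ {
            if (pos == "before") { print ins; print } else { print; print ins }
            done = 1; next
        }
        { print }
        END { if (!done) exit 2 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    cat "$tmp" > "$file"    # cat, not mv: keeps the original owner and mode
    rm -f "$tmp"
}

# apply_sssd_pam DIR: apply the four edits from the post to DIR/common-*.
apply_sssd_pam() {
    dir=$1
    pam_insert "$dir/common-account"  after  'account      [default=bad success=ok user_unknown=ignore] pam_sss.so' &&
    pam_insert "$dir/common-password" after  'password     sufficient    pam_sss.so use_authtok' &&
    pam_insert "$dir/common-session"  before 'session      optional      pam_mkhomedir.so' &&
    pam_insert "$dir/common-session"  after  'session      optional      pam_sss.so'
}

# pam_check DIR: 0 when all three files reference pam_sss.so, 1 otherwise.
pam_check() {
    for f in common-account common-password common-session; do
        grep -q 'pam_sss\.so' "$1/$f" 2>/dev/null || return 1
    done
}

# Usage on a live box, after backing up /etc/pam.d:
#   cp -a /etc/pam.d /root/pam.d.bak && apply_sssd_pam /etc/pam.d && pam_check /etc/pam.d
```

Try it first on a copy of /etc/pam.d (the functions take the directory as an argument for exactly that reason), and keep a root shell open while testing, since a broken common-auth or common-account stack can lock you out of new logins.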

2
With the removal of OpenLDAP support, what happens to LDAP SSH-type logins? Will this still work via the Samba LDAP???

3
Installation and Upgrades / Re: Run backup manually
« on: March 05, 2013, 09:56:34 am »
Zentyal 3.0 has a frontend (System -> Import/Export Configuration), but if you're wanting to cron it:

/usr/share/zentyal/make-backup

Backups are saved in /var/lib/zentyal/conf/backups/

Options available:
  Usage:
  ./make-backup  [OPTION]...
  ./make-backup  --help

  Options:
    --config-backup (default backup mode)
    --configuration-report --bug-report

    --description <description>
    --fallback-to-ro
    --remote-backup <name>
    --progress-id (only needed for web framework)

Sorry, I know it's a bit of an old topic, but I thought for completeness I would add it here.
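
As an added example (not from the post or from Zentyal), here is a cron-friendly wrapper around the make-backup path and --description option shown above: each run tags the backup with the date and then prunes backups older than a retention period from the backup directory named in the post. The 30-day retention, the variable and function names and the wrapper path in the crontab comment are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the forum thread: a cron-friendly wrapper around the
# make-backup script and backup directory named in the post, adding a dated
# description and age-based pruning. The 30-day retention, the variable names
# and the wrapper path in the crontab comment are this example's own choices.

BACKUP_CMD=${BACKUP_CMD:-/usr/share/zentyal/make-backup}
BACKUP_DIR=${BACKUP_DIR:-/var/lib/zentyal/conf/backups}
RETAIN_DAYS=${RETAIN_DAYS:-30}

# prune_old_backups DIR DAYS: remove regular files directly in DIR whose
# modification time is more than DAYS days old. Refuses a missing DIR so a
# typo in the path can never turn into a recursive delete elsewhere.
prune_old_backups() {
    dir=$1; days=$2
    [ -d "$dir" ] || return 1
    find "$dir" -maxdepth 1 -type f -mtime +"$days" -exec rm -f -- {} +
}

# count_backups DIR: number of regular files directly in DIR.
count_backups() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# run_nightly_backup: take a configuration backup tagged with today's date,
# then prune. Fails (and skips pruning) if the backup itself fails, so a
# broken backup run never deletes the old copies you would need.
run_nightly_backup() {
    "$BACKUP_CMD" --config-backup --description "nightly $(date +%F)" || return 1
    prune_old_backups "$BACKUP_DIR" "$RETAIN_DAYS"
}

# Save this file as /usr/local/sbin/zentyal-nightly-backup.sh and add to root's crontab:
#   30 2 * * * /usr/local/sbin/zentyal-nightly-backup.sh run >> /var/log/zentyal-backup.log 2>&1
case "${1:-}" in
    run) run_nightly_backup ;;
esac
```

Pruning runs only after a successful backup, and the retention is by age rather than by count, so a burst of manual backups on one day cannot push an older good copy out. Copy the backup directory off the box as well; a backup that lives only on the server it protects is not a backup.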

4
Question 1
Which format should I publish it in? I was thinking of just putting it in a webpage so that people could literally just browse to it in the attachments.
HTML is an excellent format for openness. ichat mentions in his post at the start about adding it to the "Zentyal Wiki", which I believe is found here: http://trac.zentyal.org/wiki/Documentation/Community
You only require a valid forum login to update it, and some Zentyal 3 content would be great.
It also may get incorporated/linked by official Zentyal docs if found useful.

Question 2
I was thinking about the whole web cache thing how much would be sufficient?
This will depend on many things:
 - What OSes you're supporting (e.g. WinXP, Win7, Win8), as each OS will have its own updates; then you have the 386 and x64 variants.
 - How far back in updates you want to support, e.g. WinXP pre-SP1 and all updates to current?

Personally, 10-20 GB set aside will be heaps; if you can spare more, just bump it up further, as it will also transparently cache other websites etc. You'll find most machines will be at a similar level of updates, so you only really ever need to cache the most recent updates. Once the cache is full, it drops the oldest/least-used files and will have to download them again at that point, e.g. for a fresh install which needs to get old updates that are no longer held in the cache.

P.S. Make sure that your maximum cache file size is adjusted to ~300 MB (so it caches service packs etc.).

5
If there could be a web-based implementation of their tool, to configure and download these updates, it could even be a valuable module for Zentyal users with Windows clients...

Personally, in the past I've just installed a transparent web cache like Squid (or Zentyal's HTTP Proxy (Cache and Filter) should suffice) with sufficient cache size; after the initial download, all the other PCs in the network will just use the cached copy ;)

The only thing this doesn't really give you is the granularity in choosing what updates are rolled out to the network, as you'll just set all the PCs to do automatic updates.

6
Thanks benronlund for your write-up; this helped with my first setup/trial of Zentyal with Samba4.

A couple of things to note that may help with the next update of your documentation.

 - I found your steps for the "Initial Configuration Wizard" a bit light, so I suggest this write-up as a reference, or borrow the pictures:
       http://doc.zentyal.org/en/installation.html#initial-configuration

 - When doing the "Initial Configuration Wizard", ensure the "host domain name" you enter reflects the domain name with the .lan (or similar) at the end, as I had trouble joining the domain if the Kerberos realm and Samba domain did not match.

 - If you've set everything up correctly, there is no need to do the .reg hack, as Zentyal 3.0 uses Samba4, i.e. it is an Active Directory member. The .reg hack was for connecting to Samba3-type servers.

 - I've now installed and got a Windows 8 Pro (effectively the same as Win7) computer to connect to the domain without the .reg hack.
     -- TIP: I configured the DNS of the Windows 8 machine to go through the Samba server.

 - Perhaps add some links to the Microsoft site for downloading the admin packs:
     Win8 Remote Server Administration Tools - http://www.microsoft.com/en-au/download/details.aspx?id=28972
     - NOTE: for Win8, ensure the En-US language pack is installed for this to install (via Control Panel)
     Win7 Remote Server Administration Tools (SP1) - http://www.microsoft.com/en-au/download/details.aspx?id=7887
     Group Policy Management tools (GPMC) - http://www.microsoft.com/en-au/download/details.aspx?id=21895

OK, while a bit off topic, there are also some nice write-ups on the Samba website for connecting/managing and also converting old Samba3 domains and computers to Samba4.
https://wiki.samba.org/index.php/Samba4/videos
https://wiki.samba.org/index.php/Samba4/HOWTO#Migrating_an_Existing_Samba3_Domain_to_Samba4

7
Thanks sixston, I should have thought of that one.

FYI for others wanting to do similar things: you can also use a number for whereabouts to insert it (the only benefit of doing so is rule efficiency, i.e. match our most used rules first).

# puts it in the 10th rule position (iptables takes the chain name first, then the rule number)
sudo iptables -I INPUT 10 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN

8
Hi,

I want to know if there is a correct place for putting a custom rule?? I'm wanting to create the following custom ruleset, which obviously can't be done by the frontend.

FYI - The rules below match a port (in this case SSH), count how many new connections come from a single IP in a certain period, and then block the IP for X seconds when the hit count is reached (and log it).

# create the SSHSCAN chain and send new SSH connections on eth0 to it
sudo iptables -N SSHSCAN
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN
# remember the source address, then log and drop once it exceeds 4 hits in 300 seconds
sudo iptables -A SSHSCAN -m recent --set --name SSH --rsource
sudo iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH SCAN blocked: " --log-level 6
sudo iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 4 --name SSH --rsource -j DROP

I've tried putting it in /etc/ebox/hooks/firewall.postservice, but this runs too late, causing it to be inserted after the drop-all.
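
Wherever the rules end up being hooked in, the version above is not safe to run twice: a second run fails on -N (the chain already exists) and appends duplicate rules. The script below is an added example, not from the thread or from Zentyal: it builds the same SSHSCAN chain so it can be rerun (flushing the chain first), and inserts the INPUT jump at a chosen position, the -I form from the later reply, deleting an identical existing jump first. eth0, port 22, the 300 s window and the 4-hit limit come from the post; the function names, the IPT/IFACE/WINDOW/HITS variables and the IPT=echo dry-run are this example's own.

```shell
#!/bin/sh
# Added example, not code from the forum thread: the SSHSCAN rate-limit chain
# from the post above, rebuilt so it can be rerun safely (no duplicate rules)
# and with the INPUT jump inserted at a chosen position, the -I form from the
# earlier reply. Set IPT=echo to print the commands instead of applying them.
# eth0, port 22, the 300 s window and 4 hits come from the post; the function
# names and variables are this example's own.

IPT=${IPT:-iptables}
IFACE=${IFACE:-eth0}
WINDOW=${WINDOW:-300}   # seconds over which new connections are counted
HITS=${HITS:-4}         # new connections within WINDOW before the source is dropped

# ssh_scan_chain: create (or empty and refill) the SSHSCAN chain with the
# post's three rules: remember the source, then log and drop once it exceeds
# HITS new connections in WINDOW seconds.
ssh_scan_chain() {
    "$IPT" -n -L SSHSCAN >/dev/null 2>&1 || "$IPT" -N SSHSCAN || return 1
    "$IPT" -F SSHSCAN || return 1      # flush so a rerun does not append duplicates
    "$IPT" -A SSHSCAN -m recent --set --name SSH --rsource &&
    "$IPT" -A SSHSCAN -m recent --update --seconds "$WINDOW" --hitcount "$HITS" \
        --name SSH --rsource -j LOG --log-prefix "SSH SCAN blocked: " --log-level 6 &&
    "$IPT" -A SSHSCAN -m recent --update --seconds "$WINDOW" --hitcount "$HITS" \
        --name SSH --rsource -j DROP
}

# ssh_scan_jump POS: send new SSH connections arriving on IFACE to SSHSCAN,
# inserted at rule position POS of INPUT (default 1, the top of the chain).
# An identical existing jump is deleted first so the rule is never duplicated.
ssh_scan_jump() {
    pos=${1:-1}
    set -- -i "$IFACE" -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN
    "$IPT" -D INPUT "$@" 2>/dev/null || true   # absent on the first run; that is fine
    "$IPT" -I INPUT "$pos" "$@"
}

# Apply, then watch the per-rule counters with: iptables -n -v -L SSHSCAN
# ssh_scan_chain && ssh_scan_jump 10
```

Run it with IPT=echo first to see exactly what will be issued; the LOG rule's prefix makes the drops easy to find in the kernel log, which is also where you confirm the limit is not catching legitimate users who reconnect often.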
